iPhone VPN app security debate continues, as Apple says it’s fixed, and ProtonVPN says not

A debate about whether iPhone VPN app security is flawed continues today, with Apple insisting it has offered a fix since 2019, while ProtonVPN says that it’s only a partial solution.

The controversy began when a well-known security researcher said that iOS virtual private network (VPN) apps are broken, due to a flaw that he claims Apple has known about for at least two and a half years. This backed a previous report by ProtonVPN …

If you’re not familiar with how VPNs work, please check out the brief primer in yesterday’s post.

iPhone VPN app security issue

As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then reopen them inside the secure “tunnel.” This is an absolutely standard feature of any VPN service.

But security researcher Michael Horowitz did some testing, and found that not all existing connections were closed when a VPN app is activated. That means that some data continues to be sent over an unsecured link. This was true of multiple iOS VPN apps on multiple devices.

In some cases, those insecure connections can persist for a few minutes. This is already a big deal because some people activate their VPN immediately before doing something sensitive, but Horowitz found that some connections can remain up for hours. This includes Apple’s own push notifications.

His tests backed up a 2020 complaint by ProtonVPN. They discovered the problem in iOS 13.3.1, and say that the flaw remains in place today.

Proton notified Apple, but says that it failed to take any action.

Apple says it has offered a fix since 2019

Apple announced what appeared to be a way for VPN app developers to solve the problem in a WWDC session in 2019 (video).

var includeAllNetworks: Bool { get set }

If this value is true and the tunnel is unavailable, the system drops all network traffic. The default value is false.

However, for some reason, it is off by default. It’s unclear why this would be, and why it seemingly hasn’t been implemented by any of the VPN apps tested.
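The following Swift function is an added example, not code from the article, Apple or any VPN vendor. It shows how a VPN app could opt in to the flag on its own tunnel configuration and confirm the value the system stored. The function name, error type, bundle identifier and server address are hypothetical, and it assumes an iOS 14 or later deployment target with the Network Extension entitlement.

```swift
import NetworkExtension

// Added example. Identifiers marked "placeholder" are hypothetical.
enum TunnelConfigError: Error { case noProtocol }

/// Enables includeAllNetworks on this app's tunnel configuration and
/// re-reads the saved preferences to confirm the flag was stored.
func enforceFullTunnel(completion: @escaping (Result<Bool, Error>) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error { return completion(.failure(error)) }

        // An app only sees the VPN configurations it created itself.
        let manager = managers?.first ?? NETunnelProviderManager()
        let proto = (manager.protocolConfiguration as? NETunnelProviderProtocol)
            ?? NETunnelProviderProtocol()

        if proto.providerBundleIdentifier == nil {
            proto.providerBundleIdentifier = "com.example.vpn.tunnel" // placeholder
            proto.serverAddress = "vpn.example.com"                   // placeholder
        }

        // Default is false. When true and the tunnel is unavailable,
        // the system drops all network traffic.
        proto.includeAllNetworks = true

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN" // placeholder
        manager.isEnabled = true

        manager.saveToPreferences { error in
            if let error = error { return completion(.failure(error)) }
            // Reload so the check reflects what the system actually stored.
            manager.loadFromPreferences { error in
                if let error = error { return completion(.failure(error)) }
                guard let saved = manager.protocolConfiguration else {
                    return completion(.failure(TunnelConfigError.noProtocol))
                }
                completion(.success(saved.includeAllNetworks))
            }
        }
    }
}
```

According to Proton's testing described below, connections to some Apple services remained outside the tunnel even with this flag enabled, so it narrows the leak rather than closing it.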

Proton says it is only a partial fix

Proton told me that it was aware of the claimed fix, and had tested it at the time. However, the company found that it was only partially effective. Insecure connections to some Apple services remain in place after a VPN is activated.

Proton founder and CEO Andy Yen said that they made the decision to make the flaw public after Apple told them it would not be offering a full fix.

“The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”

Confusion remains

Horowitz additionally pointed out that even iOS doesn’t seem to know whether or not a VPN service is active.

We’ve again reached out to Apple for a response to the latest episode in the iPhone VPN app security issue.
